An Interview with Mudge
by Mudge
Mudge is VP of R&D for @Stake Inc.
[Editor's Note: Mudge was formerly CEO and Chief Scientist for the L0pht, which recently merged with @Stake. Rob Kolstad interviewed Mudge via email during the week of February 7, 2000.]

Rob: I know that many people don't have a clear picture of L0pht Heavy Industries. Can you tell us about the organization's (former) function?

Mudge: The L0pht, now @Stake's R&D leg, started out as a loose organization of people in the same geographic area. The common bond was that we were (and still are) driven by our interest in technology and security. We chipped in to get a storage space for the various computers, peripherals, and components that we had all amassed over the years. That was back in 1992 and was the first physical manifestation of the L0pht. We promptly started setting up controlled test environments and creating a laboratory for development and testing.

The one thing that was really lacking was an established body of work on network security. We decided that one of our goals would be to create such information and disseminate it. This turned into the collections such as the Whacked Mac Archives, the Black Crawling Systems, and the Advisories we released. We tried to document our research methodologies and results when looking at new technologies or security areas.

What we ended up becoming was the unofficial consumer watch group on network and computer security. We were not owned by a particular political group or vendor so we could speak our mind and people could take what we said at face value. There was no hidden agenda of "Are they trying to sell product, promote a service they are offering, or sway people's alliances towards a particular angle?" All we wanted to do was to make sure that mistakes we discovered were being made were fixed and that others could learn from them rather than continuously repeat them. We feel that we succeeded there.

Rob: How did you develop such a strong background in security?
Mudge: All of us are perpetually curious about the world around us. As such we strive to understand how things work, fall apart, and can be improved on. This is something that must have been instilled early on in life, as all of us seem to have it at the L0pht, er, @Stake R&D labs, no matter what it is we are working on: art, music, cars, engineering, programming, etc. Much the way some people are avid crossword-puzzle enthusiasts, we see everything that is presented to us in as many possible angles and lights as we can.

Rob: Going forward, L0pht has become the R&D leg of @Stake. Can you describe the timing and new business functions? How will you enable the company to make money?

Mudge: The L0pht has been a real corporation for the past several years. A lot of people did not realize this. We started to see a trend in the larger organizations recognizing the value and talent that we had amassed. Many of the larger companies attempted to either purchase us outright or exclusively license all of our technologies. We declined over and over again. Finally, we decided to go out and see if there were any other companies that had the same long-term goals and vision as ours. That is when we found @Stake. We were looking for people who understood the value of being largely above reproach, i.e., no hidden agendas when dealing with customers or clients. We were looking for people focused not only on the tactical cleanup of problems once someone else points them out but also on providing strategic solutions to involve security at the beginning. We believe we found them.
The R&D group drives value in the custom research and the few extreme jobs that we take on for clients. We are always trying to look at problems that, when solved, will offer improvements and longer-term solutions, not just stopgap fixes. These forays

John Rando, in particular, is amazing. This is, after all, the man who was in charge of Digital Equipment Corp.'s services organization worldwide ($8 billion revenue, 25,000 employees) and then subsequently all of Compaq's. He is generally recognized as the exemplar of how to run a services organization. Of course, just to make sure we had an overabundance of techie know-how, we snagged Dan Geer as our CTO.

Rob: How much does a good security audit cost, anyway?

Mudge: My belief is that most people do not know what a good security audit is in the first place. Many believe that a security audit is comprised of scanning your systems to look for known holes that have been posted to bugtraq or other security mailing lists (and often by places such as the L0pht). This is a reactive mechanism for dealing with security. Can we do this? Yes. Can we do better? Yes.

The first thing a good security audit should start out with is a solid understanding of what the customer's current business is and what they need to accomplish in the future. Only then can one weigh the risks and benefits of particular practices against security. More important, the methods and mechanisms put in place to patch existing problems need to be in line with future directions. What good is it to put a fix in place that has to be yanked out later because it impedes your organization's capability to do business?

If you look at the distributed denial-of-service attacks that just took place, which would make more sense? Wait until we are where we are right now and then install committed access rates at the Web service provider and start thinking about filtering RFC1918 and IANA reserved networks, or think about what the business is in the first place: offering extremely large-throughput Web services, thus coming to the conclusion that CAR along with anti-spoofing rules would make sense as due diligence.
Rob: Security is such a wonderful thing to sell because it's hard to measure. Do you have any means of measuring it? Or is that counterproductive, in the sense that one can never be secure enough?

Mudge: Ahh, that's the old way of looking at things. We are going to see a wonderful paradigm shift in how people look at security. It used to be a cost center. It used to be a situation where you had to justify the security budget and only the IT organization held the purse strings. Now security is a revenue creator. After all, if I can figure out a way of securely offering access to more internal components, I can drive business. It is the different business units that are working toward new models of conducting business, offering services, and therefore incorporating security. But this will only work when we start looking at security from a strategic vantage point and not a tactical one. The world is becoming more decentralized and distributed and as such the old security model of bandage after the fact becomes unscalable.
Rob: Thanks!
Last changed: 20 Jul. 2000